Access tokens

An access token is created when the user first makes a request for access.

Access tokens represent who a user is when performing actions on the cluster and supply the primary owner and group identities during file creation. Access tokens are also compared against the ACL or mode bits during authorization checks.

During user authorization, OneFS compares the access token, which is generated during the initial connection, with the authorization data on the file. All user and identity mapping occurs during token generation; no mapping takes place during permissions evaluation.

An access token includes all UIDs, GIDs, and SIDs for an identity, in addition to all OneFS privileges. OneFS reads the information in the token to determine whether a user has access to a resource. It is important that the token contains the correct list of UIDs, GIDs, and SIDs. An access token is created from one of the following sources:
  • Username: SMB impersonate user; Kerberized NFSv3; Kerberized NFSv4; NFS export user mapping; HTTP; FTP; HDFS
  • Privilege Attribute Certificate (PAC): Active Directory Kerberos
  • User identifier (UID): NFS AUTH_SYS mapping
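The following Python model illustrates the behaviour described above: identities (UID, GIDs, SIDs) are resolved once when the token is generated, and the authorization check consults only the token against the file's mode bits or ACL, with no identity lookup at evaluation time. It is an added example, not OneFS code; the identity directory, SIDs and file metadata are constructed sample values.

```python
"""Illustrative model of an access token and an authorization check.

Added example (not OneFS code). The directory below is constructed data
standing in for the cluster's identity providers; SIDs and UIDs are made up.
"""
from dataclasses import dataclass, field

# Constructed identity directory: username -> UID, GIDs, SIDs (assumed values).
DIRECTORY = {
    "alice": {"uid": 1001, "gids": [100, 200],
              "sids": ["S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-513"]},
    "bob":   {"uid": 1002, "gids": [100],
              "sids": ["S-1-5-21-1-1-1-1002", "S-1-5-21-1-1-1-513"]},
}

READ, WRITE, EXEC = 4, 2, 1


@dataclass(frozen=True)
class AccessToken:
    """Immutable snapshot of every identity the user holds at connection time."""
    user: str
    uid: int
    gids: frozenset
    sids: frozenset


def generate_token(username):
    """All identity lookup and mapping happens here, once, when the token is built."""
    rec = DIRECTORY[username]
    return AccessToken(username, rec["uid"], frozenset(rec["gids"]), frozenset(rec["sids"]))


@dataclass
class FileMeta:
    owner_uid: int
    group_gid: int
    mode: int                                   # POSIX mode bits, e.g. 0o640
    acl: list = field(default_factory=list)     # (type, sid, perms) ACEs; empty -> mode bits


def check_mode_bits(token, f, want):
    """Owner / group / other evaluation using only the identities in the token."""
    if token.uid == f.owner_uid:
        bits = (f.mode >> 6) & 7
    elif f.group_gid in token.gids:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want


def check_acl(token, f, want):
    """ACE walk: an explicit deny matching any token SID wins; otherwise the
    allowed permissions accumulate across every ACE whose SID is in the token."""
    for ace_type, sid, perms in f.acl:
        if ace_type == "deny" and sid in token.sids and perms & want:
            return False
    granted = 0
    for ace_type, sid, perms in f.acl:
        if ace_type == "allow" and sid in token.sids:
            granted |= perms
    return granted & want == want


def authorize(token, f, want):
    """No directory lookup here: the token is the only identity input."""
    return check_acl(token, f, want) if f.acl else check_mode_bits(token, f, want)


if __name__ == "__main__":
    alice = generate_token("alice")
    shared = FileMeta(owner_uid=1002, group_gid=200, mode=0o640)
    print("alice read:", authorize(alice, shared, READ))    # True via group bits
    print("alice write:", authorize(alice, shared, WRITE))  # False
```

Because the token is frozen at generation, a group membership added to the directory after the connection is established does not change the outcome until a new token is generated, which is the practical consequence of "no mapping takes place during permissions evaluation".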